Note: In theory, NAT works. Thus, two NATs also work, in theory. Double NAT just increases the "chance" of something going wrong, e.g. an overly helpful SIP ALG, port forwarding being in the way, etc. Below is ONE possible example, in practice, of when double NAT could go wrong:
ref: http://blogs.forethought.net/blog/?p=12
NAT, for those who haven’t already opened a new tab on Google to look it up, is “Network Address Translation”. It’s a technology that maps between public internet addresses (such as 216.241.32.130, the IP for our web site www.fonality.com), and private addresses (such as 192.168.1.2). NAT is what prevented us from running out of IP addresses a long time ago, as there are only about 2.5 billion usable IP addresses, and far more than 2.5 billion devices on the Internet.
NAT translates between the internal addresses you use on your home, or your office network, and public addresses.
NAT is also used as a firewall technology, as it effectively prevents any traffic from flowing past a router unless it is part of an established connection, generally one that you initiated.
So, NAT is a good thing but of course comes with a price. There are certain internet protocols that NAT breaks, such as SIP for Voice over IP, FTP (file transfer), and any number of others. One of these is obscure but often very important: ICMP Path MTU Discovery.
I know what you’re saying, “You’re killing me with these acronyms!” But please bear with me.
“MTU” is “Maximum Transmission Unit”. It’s the largest packet that can be sent over a particular link. For instance, the MTU on plain old Ethernet is generally 1500 bytes. If the two ends of a connection on the Internet try to send packets bigger than the MTU of a particular link, the packet could get thrown away. So Path MTU Discovery figures out a maximum packet size that can traverse the entire network. The computers on either end use that packet size and all is good!
Except that many NAT routers (most, in fact) break Path MTU Discovery, so they put in place workarounds. Except the workarounds don’t work when you have (drum roll please) Double NAT.
Are you still with me? Good!
Double NAT is what happens when you have one NAT translation behind another NAT translation. This is a case where two is not better than one.
Unfortunately this is becoming very common because it’s now almost impossible to buy a WiFi base station that does not have NAT in it. Many, in fact, have NAT and do not allow you to turn it off. So, if you take one of these and plug it into the back of your DSL modem (which is also doing NAT), you end up with Double-NAT.
Double-NAT breaks other things besides Path MTU Discovery, such as file sharing between a laptop on the WiFi and a desktop on the DSL router.
Double-NAT generally bites DSL providers, as cable internet modems now typically are “dumb bridges”, meaning they pass through a public IP address and do not do firewall or NAT. DSL modems, such as those typically provided with Qwest DSL, have NAT/firewall on by default.
You will see all kinds of odd behavior with Double-NAT. Some web sites may be slow. Some may not come up at all, or may come up sometimes but not others. You may be able to download certain emails but not certain other emails. It all depends on the size of packets generated by the endpoints, which can sometimes be somewhat random.
To solve this problem, you need to remove one of the NATs. You can remove the NAT in your DSL modem, or you can remove the NAT in your WiFi or other router. Which you can do will depend on your provider.
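Before deciding which NAT to remove, it helps to confirm that two are actually in the path. The following is an added example, not code from the referenced blog: it reads `traceroute -n` (or `tracert -d`) output and flags the case where the first hops are private addresses on two different networks. It is a heuristic that assumes each NAT router uses its own /24 and that the sample outputs, which are constructed, resemble yours; two private hops can also be plain routing without NAT.

```python
import ipaddress
import re

# RFC 1918 private ranges, the kind of address a NAT router hands out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<hop number> <rest>"
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # dotted-quad IPv4

# Constructed sample outputs (public hops use documentation addresses).
DOUBLE_NAT_SAMPLE = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.168.1.1  1.2 ms  1.1 ms  1.0 ms
 2  192.168.0.1  2.3 ms  2.2 ms  2.4 ms
 3  203.0.113.1  9.8 ms  9.9 ms  10.1 ms
"""
SINGLE_NAT_SAMPLE = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.168.1.1  1.2 ms  1.1 ms  1.0 ms
 2  203.0.113.1  9.8 ms  9.9 ms  10.1 ms
"""


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def leading_private_hops(traceroute_text):
    """Private addresses on consecutive hops, counted from hop 1."""
    hops = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header or blank line
        ips = IP_RE.findall(m.group(2))
        if not ips or not is_rfc1918(ips[0]):
            break                         # "* * *" or first public hop
        hops.append(ips[0])
    return hops


def looks_like_double_nat(traceroute_text):
    """Heuristic: leading private hops span two or more /24 networks."""
    nets = {ipaddress.ip_network(h + "/24", strict=False)
            for h in leading_private_hops(traceroute_text)}
    return len(nets) >= 2


if __name__ == "__main__":
    print(looks_like_double_nat(DOUBLE_NAT_SAMPLE))
    print(looks_like_double_nat(SINGLE_NAT_SAMPLE))
```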